[pkg-uWSGI-devel] Bug#995368: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO
philippe.accorsi at algoo.fr
Sat Oct 9 21:13:30 BST 2021
Hi,
Thanks for your answer, and thanks also for the information about the
wrong configuration of Apache.
I have tested both solutions you explained here and both work well.
If I apply the change in the Apache configuration (as explained in the
official documentation about "/") my app works well.
If I just apply your Debian patch, the app also works well.
So, we will wait for the Debian patch for the oldest installation, and I
can now create a fix for the Tracim project about the wrong usage of "/"
in the apache2 configuration.
Thanks a lot for your solution :) :) :)
Best regards.
Philippe
Sys Admin Algoo
On 2021-10-09 18:04, Sylvain Beucler wrote:
> Hi,
>
> On 05/10/2021 18:41, Sylvain Beucler wrote:
>> forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
>
> The Apache developers say there's an incorrect configuration in the
> first place. For example,
> ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/
> should be
> ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081
> following the warning about slashes in the documentation:
> http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
>
> However, they are currently considering an additional patch to restore
> the previous (less strict) behavior.
>
> Philippe, Josef, I prepared a build with the new patch, so you can test
> early:
> https://people.debian.org/~beuc/lts/uwsgi/
> https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb
>
> I'm interested in your feedback.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team